[FFmpeg-trac] #4299(avcodec:new): mpeg2: crash with fuzzed file

FFmpeg trac at avcodec.org
Tue Feb 10 21:19:27 CET 2015


#4299: mpeg2: crash with fuzzed file
------------------------------------+-----------------------------------
             Reporter:  tholin      |                    Owner:
                 Type:  defect      |                   Status:  new
             Priority:  normal      |                Component:  avcodec
              Version:  git-master  |               Resolution:
             Keywords:              |               Blocked By:
             Blocking:              |  Reproduced by developer:  0
Analyzed by developer:  0           |
------------------------------------+-----------------------------------

Comment (by tholin):

 I can trigger the crash on several of my systems but if I build with ASan
 or without pthreads it won't crash. The crashes seem to be random and I
 guess it's dependent on the precise layout of the address space. I did
 some more fuzzing with the previous file as input and got some files with
 valgrind warnings. I add them too.

 {{{
 $ valgrind ./ffmpeg -v 9 -loglevel 99 -i ~/fuzz/ffmpeg_mpeg2_crash2.mpg -f
 null -
 ==27304== Memcheck, a memory error detector
 ==27304== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
 ==27304== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright
 info
 ==27304== Command: ./ffmpeg -v 9 -loglevel 99 -i
 /home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg -f null -
 ==27304==
 ffmpeg version N-69683-g8b77c4d Copyright (c) 2000-2015 the FFmpeg
 developers
   built with gcc 4.8.3 (Gentoo 4.8.3 p1.1, pie-0.5.9)
   configuration: --enable-debug=gdb --disable-optimizations --disable-
 stripping
   libavutil      54. 18.100 / 54. 18.100
   libavcodec     56. 21.102 / 56. 21.102
   libavformat    56. 19.100 / 56. 19.100
   libavdevice    56.  4.100 / 56.  4.100
   libavfilter     5.  9.104 /  5.  9.104
   libswscale      3.  1.101 /  3.  1.101
   libswresample   1.  1.100 /  1.  1.100
 Splitting the commandline.
 Reading option '-v' ... matched as option 'v' (set logging level) with
 argument '9'.
 Reading option '-loglevel' ... matched as option 'loglevel' (set logging
 level) with argument '99'.
 Reading option '-i' ... matched as input file with argument
 '/home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg'.
 Reading option '-f' ... matched as option 'f' (force format) with argument
 'null'.
 Reading option '-' ... matched as output file.
 Finished splitting the commandline.
 Parsing a group of options: global .
 Applying option v (set logging level) with argument 9.
 Successfully parsed a group of options.
 Parsing a group of options: input file
 /home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg.
 Successfully parsed a group of options.
 Opening an input file: /home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg.
 [mpegvideo @ 0x7e48da0] Format mpegvideo probed with size=2048 and
 score=51
 [mpegvideo @ 0x7e48da0] Before avformat_find_stream_info() pos: 0 bytes
 read:122 seeks:0
 [mpeg1video @ 0x7e5af40] frame_rate_index 0 is invalid
     Last message repeated 1 times
 [mpegvideo @ 0x7e48da0] Estimating duration from bitrate, this may be
 inaccurate
 [mpegvideo @ 0x7e48da0] After avformat_find_stream_info() pos: 122 bytes
 read:122 seeks:0 frames:2
 Input #0, mpegvideo, from '/home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg':
   Duration: 00:00:00.00, bitrate: 19918 kb/s
     Stream #0:0, 2, 1/1200000: Video: mpeg2video (Main), yuv420p(tv,
 center), 4099x12 [SAR 64:12297 DAR 16:9], 1001/24000, 19737 kb/s, 11.99
 tbr, 1200k tbn, 23.98 tbc
 Successfully opened the file.
 Parsing a group of options: output file -.
 Applying option f (force format) with argument null.
 Successfully parsed a group of options.
 Opening an output file: -.
 Successfully opened the file.
 detected 8 logical cores
 [graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'video_size' to value
 '4099x12'
 [graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'pix_fmt' to value '0'
 [graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'time_base' to value
 '1/1200000'
 [graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'pixel_aspect' to
 value '64/12297'
 [graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'sws_param' to value
 'flags=2'
 [graph 0 input from stream 0:0 @ 0x7e76ec0] Setting 'frame_rate' to value
 '24000/2002'
 [graph 0 input from stream 0:0 @ 0x7e76ec0] w:4099 h:12 pixfmt:yuv420p
 tb:1/1200000 fr:24000/2002 sar:64/12297 sws_param:flags=2
 [AVFilterGraph @ 0x7e75000] query_formats: 3 queried, 2 merged, 0 already
 done, 0 delayed
 Output #0, null, to 'pipe:':
   Metadata:
     encoder         : Lavf56.19.100
     Stream #0:0, 0, 1001/12000: Video: rawvideo (I420 / 0x30323449),
 yuv420p(center), 4099x12 [SAR 64:12297 DAR 16:9], 1001/12000, q=2-31, 200
 kb/s, 11.99 fps, 11.99 tbn, 11.99 tbc
     Metadata:
       encoder         : Lavc56.21.102 rawvideo
 Stream mapping:
   Stream #0:0 -> #0:0 (mpeg2video (native) -> rawvideo (native))
 Press [q] to stop, [?] for help
 [mpeg2video @ 0x7e6ffe0] frame_rate_index 0 is invalid
     Last message repeated 1 times
 [mpeg2video @ 0x7e6ffe0] Missing picture start code, guessing missing
 values
 [mpeg2video @ 0x7e6ffe0] Missing picture start code
 [mpeg2video @ 0x7e6ffe0] warning: first frame is no keyframe
 ==27304== Invalid read of size 16
 ==27304==    at 0x1036F9C: ??? (hpeldsp.asm:480)
 ==27304==    by 0xACDBA4: mpv_motion_internal (mpegvideo_motion.c:951)
 ==27304==    by 0xACDBA4: ff_mpv_motion (mpegvideo_motion.c:981)
 ==27304==    by 0xAA5536: mpv_decode_mb_internal (mpegvideo.c:3153)
 ==27304==    by 0xAA5536: ff_mpv_decode_mb (mpegvideo.c:3287)
 ==27304==    by 0xA57B76: mpeg_decode_slice (mpeg12dec.c:1879)
 ==27304==    by 0xA5A8CC: decode_chunks (mpeg12dec.c:2710)
 ==27304==    by 0xA5AC6F: mpeg_decode_frame (mpeg12dec.c:2787)
 ==27304==    by 0xBFF2F9: avcodec_decode_video2 (utils.c:2372)
 ==27304==    by 0x4248A3: decode_video (ffmpeg.c:1958)
 ==27304==    by 0x425A09: process_input_packet (ffmpeg.c:2206)
 ==27304==    by 0x42C2B6: process_input (ffmpeg.c:3696)
 ==27304==    by 0x42C63F: transcode_step (ffmpeg.c:3790)
 ==27304==    by 0x42C74F: transcode (ffmpeg.c:3842)
 ==27304==  Address 0x80ae6d0 is 1 bytes after a block of size 133,167
 alloc'd
 ==27304==    at 0x4C2B560: memalign (vg_replace_malloc.c:760)
 ==27304==    by 0x4C2B677: posix_memalign (vg_replace_malloc.c:913)
 ==27304==    by 0x11BBAFB: av_malloc (mem.c:95)
 ==27304==    by 0x11AC9FC: av_buffer_alloc (buffer.c:71)
 ==27304==    by 0x11ACA61: av_buffer_allocz (buffer.c:84)
 ==27304==    by 0x11AD099: pool_alloc_buffer (buffer.c:330)
 ==27304==    by 0x11AD1C7: av_buffer_pool_get (buffer.c:394)
 ==27304==    by 0xBFA098: video_get_buffer (utils.c:670)
 ==27304==    by 0xBFA3F2: avcodec_default_get_buffer2 (utils.c:730)
 ==27304==    by 0x42648F: get_buffer (ffmpeg.c:2380)
 ==27304==    by 0xBFB012: get_buffer_internal (utils.c:1019)
 ==27304==    by 0xBFB07E: ff_get_buffer (utils.c:1032)
 ==27304==
 [mpeg2video @ 0x7e6ffe0] invalid cbp -1 at 58 1
 [output stream 0:0 @ 0x7e78d40] EOF on sink link output stream
 0:0:default.
 No more output streams to write to, finishing.
 frame=    1 fps=0.0 q=0.0 Lsize=N/A time=00:00:00.16 bitrate=N/A
 video:0kB audio:0kB subtitle:0kB other streams:0kB global headers:0kB
 muxing overhead: unknown
 Input file #0 (/home/cocobo/fuzz/ffmpeg_mpeg2_crash2.mpg):
   Input stream #0:0 (video): 2 packets read (122 bytes); 1 frames decoded;
   Total: 2 packets (122 bytes) demuxed
 Output file #0 (pipe:):
   Output stream #0:0 (video): 0 frames encoded; 1 packets muxed (96
 bytes);
   Total: 1 packets (96 bytes) muxed
 3 frames successfully decoded, 0 decoding errors
 [AVIOContext @ 0x7e51ae0] Statistics: 122 bytes read, 0 seeks
 ==27304==
 ==27304== HEAP SUMMARY:
 ==27304==     in use at exit: 80 bytes in 2 blocks
 ==27304==   total heap usage: 1,171 allocs, 1,169 frees, 2,624,803 bytes
 allocated
 ==27304==
 ==27304== LEAK SUMMARY:
 ==27304==    definitely lost: 0 bytes in 0 blocks
 ==27304==    indirectly lost: 0 bytes in 0 blocks
 ==27304==      possibly lost: 0 bytes in 0 blocks
 ==27304==    still reachable: 80 bytes in 2 blocks
 ==27304==         suppressed: 0 bytes in 0 blocks
 ==27304== Rerun with --leak-check=full to see details of leaked memory
 ==27304==
 ==27304== For counts of detected and suppressed errors, rerun with: -v
 ==27304== ERROR SUMMARY: 15 errors from 1 contexts (suppressed: 0 from 0)

 }}}

--
Ticket URL: <https://trac.ffmpeg.org/ticket/4299#comment:4>
FFmpeg <https://ffmpeg.org>
FFmpeg issue tracker
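As an added illustration (not code from FFmpeg or from the reporter) of the bug class the valgrind trace above points at, a half-pel motion-compensation fetch that reads just past the allocated reference frame: the model below computes the source region a half-pel block fetch touches, checks it against the picture, and otherwise falls back to an edge-emulating copy in the spirit of a decoder's emulated-edge path. The Plane struct, the unpadded 4099x12 geometry taken from the log, the 16x8 block size and the pixel pattern are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of one 8-bit luma plane with no edge padding (assumption:
 * real reference frames carry a padded border, so this check is stricter
 * than a production decoder's). */
typedef struct { int width, height, linesize; } Plane;

/* Source region needed by a bw x bh block at (x, y) displaced by the half-pel
 * vector (mx, my): integer part is floor(mv / 2); a set low bit adds one
 * extra column/row for the half-pel averaging filter. */
static void mc_source_region(int x, int y, int bw, int bh, int mx, int my,
                             int *sx, int *sy, int *w, int *h)
{
    *sx = x + (mx >> 1);   /* arithmetic shift == floor division by 2 */
    *sy = y + (my >> 1);
    *w  = bw + (mx & 1);
    *h  = bh + (my & 1);
}

/* True when every source pixel the filter touches lies inside the picture. */
bool mc_fetch_in_picture(const Plane *p, int x, int y, int bw, int bh, int mx, int my)
{
    int sx, sy, w, h;
    mc_source_region(x, y, bw, bh, mx, my, &sx, &sy, &w, &h);
    return sx >= 0 && sy >= 0 && sx + w <= p->width && sy + h <= p->height;
}

static int clampi(int v, int lo, int hi) { return v < lo ? lo : v > hi ? hi : v; }

/* Edge-emulating fetch: copy the needed region into dst (w*h bytes), clamping
 * each coordinate to the picture so a DSP kernel reading dst never touches
 * memory outside the plane. Returns true if clamping was needed, i.e. the
 * unguarded fetch would have read out of bounds. */
bool mc_fetch_emulated(const uint8_t *pix, const Plane *p, int x, int y,
                       int bw, int bh, int mx, int my, uint8_t *dst)
{
    int sx, sy, w, h;
    mc_source_region(x, y, bw, bh, mx, my, &sx, &sy, &w, &h);
    bool clamped = !mc_fetch_in_picture(p, x, y, bw, bh, mx, my);
    for (int j = 0; j < h; j++) {
        int py = clampi(sy + j, 0, p->height - 1);
        for (int i = 0; i < w; i++)
            dst[j * w + i] = pix[py * p->linesize + clampi(sx + i, 0, p->width - 1)];
    }
    return clamped;
}
```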

